XG Firewall

Suggest, discuss, and vote on new ideas for Sophos XG Firewall. The next thing in next-gen.

  1. missing DigiCert root in Certificate Authorities

    Missing DigiCert root in Certificate Authorities
    Uploaded PFX certificates from DigiCert are signed with red cross because root certificate "C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA " is missing in Certificate Authorities.
    So this certificate cannot be added as appliance cert.
    Please add it.

    2 votes
    0 comments  ·  Base System + General UI
  2. backup to central

    With the integration started with Sophos Central, it would be great if the last x number of backups could be pushed into Sophos Central. This would provide a few capabilities. One - It could be backed up centrally without the required MR4 password affixed to it, so no prior knowledge would be required to restore that backup if hardware failed. Two, it would create snapshots of the configs in time for audit / discover purposes, hopefully eventually leading into a change log of all UTM config changes. Three, in DR scenarios it exists outside of all company systems and people, so…

    4 votes
    0 comments  ·  Base System + General UI
  3. Al

    Suggestion with regards to how XG Firewall handles backups. I would love to have the option to auto backup when the config changes. Weekly or daily often leaves me with either too many backups or the possibility of having a backup with missed changes.

    2 votes
    0 comments  ·  Base System + General UI
  4. Updated API documentation for Country Host Groups

    The API documentation on your site is either outdated or just wrong in regards to Country Host Groups. The actual parameter is <CountryGroup>, but isn't listed anywhere in the documentation. The sub-parameter to pass it is <CountryList>, not <CountryHost>, which in turn needs to be passed a series of sub-parameters of type <Country>. There is also no example listed.

    2 votes
    0 comments  ·  Base System + General UI
  5. Allow upload of certificates with special characters in passphrase

    Currently I can upload certificates with keys including special characters to the "Certificates" tab under "Certificates". Unfortunately, uploading the same certificate under the "Certificate authorities" tab results in the following error:

    Special characters |, `, ', ", <, >, (, ) and \ are not allowed in the passphrase

    I don't see why special characters can be used in the passphrase for "Certificates" but not "Certificate authorities". Please allow special characters to be used in passphrases under "Certificate authorities".

    5 votes
    0 comments  ·  Base System + General UI
  6. speedtest

    Other manufacturers like Meraki offer a speed test on the WAN bandwidth and available throughput.

    29 votes
    1 comment  ·  Base System + General UI
  7. Integrate NTOPNG or similar functionality into SFOS

    There is a Linux utility called ntopng https://www.ntop.org which is very good at identifying and classifying network traffic at high speed. If you could integrate this into SFOS it would be a very powerful tool.

    3 votes
    0 comments  ·  Base System + General UI
  8. WAN Failover Options and Ranges

    WAN Failover needs at least to have ranges
    Example: Ping between 0 and 100 consider WAN up

    Packet Loss would even be better
    Example: Packet loss higher than 10% consider WAN down

    The other vendors have these options. WAN Failover is pretty useless when a line can have a 2000 ping and 75% packet loss and still be considered up... These are the most common problems with the biggest carriers in the US such as Comcast...

    22 votes
    3 comments  ·  Base System + General UI
  9. Importing groups: disable MAC binding option

    Get the option to disable MAC binding while importing groups from an authentication server (Example: Active Directory). This is because it can easily be forgotten afterwards, and this can break SSL VPN for users in the new groups because MAC binding is not supported on SSL VPN.

    8 votes
    1 comment  ·  Base System + General UI
  10. Split OTP from password entry field

    When OTP is enabled, provide a separate text box for the OTP on the WebAdmin, Captive Portal and VPN credential screens.

    It is not explicit that users are required to enter the OTP at the moment as it is just appended to their password, which can cause issues for staff trying to connect or log in to resources as this is fundamentally different to how they enter OTPs in other applications.

    In order to resolve this issue it should be made clear to users that they have to enter the OTP in the form of an additional text box that only…

    4 votes
    0 comments  ·  Base System + General UI
  11. Custom Admin User Profiles

    Would like to have the ability to create a user profile that is somewhere between full admin and general user, something like a power user, and be able to define what they can and cannot access when logged into the admin console.

    2 votes
    0 comments  ·  Base System + General UI
  12. Better Handling of Cell Modems

    The Cellular Modem page under networks leaves a lot to be desired. There should be many more options to configure connections and a signal strength meter. Look to the Modem Manager application on Linux for inspiration, something like that in the XG would be fantastic. Also need more support for modern cell modems, the compatibility list is starting to become quite dated. With 3G ending this year I think it is soon time to prune all 3G only devices and start supporting LTE/4G/5G models.

    1 vote
    0 comments  ·  Base System + General UI
  13. Add the Use of Network Groups (objects) to Routing and firewall rules

    The issue seems pretty simple. On the SG, I was able to define Network groups, e.g. MOE_Group, MPLS_Group. From that, I was able to define my sites and put them into those groups which would provide firewall rules and routing. We never made it to the rules but the routing is what is killing me. Again, in the SG, I am able to define Static Gateway Routes using my Network Groups:

    Route Type: Gateway route
    Network: MOE_Group
    Gateway: MOE Router ( a router on the trusted internal network )

    Route Type: Gateway route
    Network: MPLS_Group
    Gateway: MPLS Router ( a…

    1 vote
    0 comments  ·  Base System + General UI
  14. 8 votes
    0 comments  ·  Base System + General UI
  15. IP Host List cannot be downloaded in .CSV format

    IP Host List cannot be downloaded in .CSV format. It is downloaded in HTML format.

    2 votes
    0 comments  ·  Base System + General UI
  16. Harmonize log format

    Current log format has key=value pairs, which are easy to manage in certain centralized logging solutions. However, some of these values contain quotation marks " and some do not. As there are several longer values, a quotation mark is reasonable and thus every value should have quotation marks.

    2 votes
    0 comments  ·  Base System + General UI
  17. Implement partial or wildcard filters in firewall user/network rule criteria

    Currently partial matches do not yield results if the filter doesn't start the same way as the criterion.

    Example:
    "and" will show "Andorra"
    "dorra" will not show anything (i.e. "Andorra" is not shown)

    "la" will show "LAN"
    "an" will not show "LAN"

    5 votes
    0 comments  ·  Base System + General UI
  18. Firewall group should not close every time a rule is moved

    Every time a rule is moved (up or down) within a group that group is automatically closed.

    This is rather cumbersome if multiple rules need to be moved, or if you simply want to make sure the rule was moved to the right position.

    7 votes
    0 comments  ·  Base System + General UI
  19. Specify authentication method for RADIUS/TACACS+ users

    On the SG firewall, an admin could create a user and specify which method of remote authentication would be used. This is not possible on the XG. As a result, a new admin must first authenticate on the User Portal, then an existing admin can change that newly created user to an admin. This is an unnecessary step that could be improved by allowing admins to specify which remote authentication method should be used per user.

    5 votes
    1 comment  ·  Base System + General UI
  20. Allow for longer domain names in Parent Proxy field

    Currently there is a limit of 40 characters in the Parent Proxy field:
    Routing > Upstream Proxy > Parent Proxy > Domain Name/IPv4 Address

    Support was unable/unwilling to fix, looking for XG firewall to allow for longer entries in this field. Anything more than 40 characters is truncated, which breaks the parent proxy operation.

    Character limits in the upstream proxy field (currently capped at 40 characters) impact use of upstream proxies with long names such as webdefence-pool-01.cluster-nyca.forcepoint.net

    Support case for reference (not being fixed by Sophos when case was opened 3-13-2019)
    [#8693303] Parent Proxy field truncates at 40 Characters, need…

    1 vote
    0 comments  ·  Base System + General UI